May have found someone riding on my wifi

If the traffic originated from a wired connection, headed to a wired uplink port, a wireless client couldn't see it, unless they had a packet flooding issue. Wired traffic would be switched, not flooded.

If it was a wireless client originating the traffic, the traffic between the client and the server is still protected with https/TLS, so a wireless snooper could see the site they visited (TLS SNI and/or DNS) and some encrypted payload.

Data at rest on their PC or on a NAS, shared, is another story.
I think the concern in this scenario, with the lackadaisical approach to security, is that the router itself could then be easily compromised once network access is gained, which means all manner of MITM sort of attack vectors become possible from setting up interface mirroring to capture all interesting traffic to certificate forgery to capture encrypted payloads.
Yea, I agree, if they also got the router, you get a lot more flexibility. Depending on the platform, you may even get to manipulate their DNS results.

MITM with a cert forgery is pretty tough since you'd need a trusted root signed cert for it to work, otherwise you're relying on them clicking through the security warning on the client side (if their browser even allows it).
Yea, I agree, if they also got the router, you get a lot more flexibility. Depending on the platform, you may even get to manipulate their DNS results.
Yes, that's not even hard to do, and I know of somebody who had their bank account compromised using "Hospital guest wifi" (my guess is that it was somebody transmitting the same SSID) where they unwittingly were redirected to a site set up to look just like their bank site and, since they weren't paying attention to the URL, plugged in their info.
MITM with a cert forgery is pretty tough since you'd need a trusted root signed cert for it to work, otherwise you're relying on them clicking through the security warning on the client side (if their browser even allows it).
Yeah, this isn't your typical script kiddie attack vector for sure, and DNS redirection (using legit certs) is far more likely, but it's certainly possible if somebody has teamed up with a foreign state actor (China/Russia) and part of a "hacking group" associated with them (I'm thinking pawn, not main player here, get the device compromised and on a botnet and then it's accessible to more competent operatives).

Consumer gateway hijacking has become prolific, as it's a great way for foreign actors (state and non) to circumvent geoblocking, using them as proxies or remote consoles.
 
Consumer gateway hijacking has become prolific, as it's a great way for foreign actors (state and non) to circumvent geoblocking, using them as proxies or remote consoles.

It's pretty interesting that the FBI is now getting court orders to fix & patch compromised home routers.
 
I’m pretty sure we get off listed stuff occasionally, and it’s because some devices change MAC addresses or something, so the system doesn’t know what the connected really is.